EmailDeemed “the weapon of choice,” one in 131 emails sent in 2016 contained a malware-laden link or attachment – the highest rate in five years. Malicious email is “a proven attack channel,” reports Symantec. “It doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials.” Burgeoning trends in what awaits in your inbox:

Spear-phishing attacks aimed to defraud specific people rather than more widely distributed generic messages. Often disguised as routine correspondence such as invoices or delivery notifications, one spear-phishing campaign – spoofed emails instructing targets to reset Gmail account passwords – provided access to Hillary Clinton’s campaign chairman John Podesta’s account and resulted in hacked emails revealed by WikiLeaks during the 2016 presidential election.

Business email compromise (BEC) scams, which rely on carefully composed spear-phishing emails that target more than 400 companies each day, scamming more than $3 billion over the last three years.

A growing proportion of spam – roughly 53 percent of all emails sent – now contains malware.

RansomwareOften initiated by email, ransomware attacks increased 36 percent worldwide in 2016 to seize control of personal computers and institution-wide networks, encrypting hostage files to make them inaccessible until a ransom is paid for their release. Termed by Symantec as “the most dangerous cyber crime threat facing consumers and businesses in 2016,” the company identified 101 new “ransomware families” last year – tripling previous numbers.

Another three-fold increase: The demanded ransom amount – an average of $1,077 per victim compared to just $294 in 2015. The U.S. is the most targeted and lucrative market, says Symantec, with 64 percent of American victims willing to pay a ransom to regain their files, compared to 34 percent globally.

Data BreachesAlthough the total number of data breaches decreased last year – 1,209 compared to 1,211 in 2015 and 1,523 in 2014 – they now have a bigger impact. Symantec says that last year, some 1.1 billion identities were exposed, an average of 927,000 per attack; that’s twice the 2015 rates on both counts. In 2016, there were 15 individual breaches in which more than 10 million identities were exposed, up from 13 in 2015.

“Smart Home” DevicesWith weak factory-issued default passwords that are rarely changed (or can’t be), smartphone app-controlled household devices including thermostats, security cameras, door locks, sprinkler systems and even coffee makers are a worrisome new frontier in computer crimes. Such Internet of Things (IoT) gizmos are already in millions of Americans homes, with predictions that some 50 billion devices will be employed by decade’s end.

Already, millions IoT devices have been hacked, typically enlisted as soldiers in a botnet army that, last October, temporarily knocked offline top websites including Amazon, PayPal, Netflix and Twitter. Some experts suspect this was a test attack to gauge (and prove) their vulnerabilities.

Most often hacked are IoT devices with these passwords, so if you can change them, do so ASAP: “Admin” and “root” lead the list in attempts to log in to the Symantec honeypot (a security technique used to attract swindlers and learn their practices), followed by “123456,” “12345,” “password,” “1234,” “admin123,” “test,” and “abc123.” The default password for the Ubiquiti brand of routers – “ubnt” – was also in the top 10, reinforcing the wisdom of having a unique (and strong) password for your home router as well as each smart home device.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs of scams and law enforcement alerts in your area at our Scam-Tracking Map.